A cybersecurity insurance policy being challenged in court raises some important points that every business should consider.

Links

FindHealthcareIT

HIPAAforMSPS.com

Kardon Compliance

Help Me With HIPAA 

Notes

COLUMBIA CASUALTY COMPANY v. COTTAGE HEALTH SYSTEM

Data breach occurred

  • Breach announcement said: Between October 8, 2013 and December 2, 2013, PHI of approximately 32,500 patients on the CE's servers was disclosed to the public via the internet.
  • The hospital got a voicemail message from a third party, who informed it that he was able to read the PHI online.
  • Records of patients seen Sept. 29, 2009 to Dec. 2, 2013 included names, addresses, DOB, MR#, Acct#, diagnoses, lab results and procedures performed. No financial information or Social Security numbers were involved.
  • Insync, their IT vendor at the time, left anonymous access for FTP traffic active on an internet-facing server on or about Oct. 8, 2013. The change allowed ePHI to become available to the public via Google's search engine. The server was taken offline immediately on Dec. 2 once the call came in.
    • Insync doesn't mention healthcare on their website any more
    • People make mistakes, even the IT folks; theirs are just big ones
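The breach mechanism above is a plain configuration failure: an FTP service that accepts anonymous logins on an internet-facing server. The following is an added example, not code from the episode or from Cottage or Insync, showing how to audit for that mistake on a vsftpd host. It checks a vsftpd configuration the way an auditor would (noting that stock vsftpd defaults `anonymous_enable` to YES, so an omitted key is still exposed) and, separately, probes a live host for an anonymous login. The sample configurations and the `audit@example.com` contact address are constructed for illustration.

```python
"""Audit an FTP server for the anonymous-access misconfiguration.

Added example: checks a vsftpd config for anonymous access and can probe a
live host. Sample configs below are constructed, not taken from the breach.
"""
from ftplib import FTP, error_perm

# Stock vsftpd defaults for the settings that matter here. The important one
# is anonymous_enable, which defaults to YES when the key is absent.
VSFTPD_DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "local_enable": "NO",
    "write_enable": "NO",
}


def parse_vsftpd_conf(text):
    """Parse key=value lines from a vsftpd.conf, ignoring comments and blanks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().upper()
    return settings


def audit_vsftpd(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    cfg = parse_vsftpd_conf(text)
    effective = {**VSFTPD_DEFAULTS, **cfg}  # explicit settings override defaults
    findings = []
    if effective["anonymous_enable"] == "YES":
        if "anonymous_enable" not in cfg:
            findings.append("anonymous_enable not set; vsftpd default is YES")
        else:
            findings.append("anonymous_enable=YES: anyone can log in without credentials")
        if (effective["anon_upload_enable"] == "YES"
                or effective["anon_mkdir_write_enable"] == "YES"):
            findings.append("anonymous users can write to the server")
    return findings


def anonymous_login_allowed(host, port=21, timeout=5):
    """Probe a live host: True if anonymous login succeeds, False if the
    server refuses it, None if the host is unreachable. (Network call; only
    run against systems you are authorized to test.)"""
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login("anonymous", "audit@example.com")  # constructed contact address
        ftp.quit()
        return True
    except error_perm:          # 530 Login incorrect, or similar refusal
        return False
    except (OSError, EOFError):  # connection refused, timeout, reset
        return None


# Constructed sample configurations.
WEAK_CONF = """
# anonymous access left on, as in the breach described above
listen=YES
anonymous_enable=YES
local_enable=YES
"""

IMPLICIT_CONF = """
# key omitted entirely: still exposed because the default is YES
listen=YES
local_enable=YES
"""

HARDENED_CONF = """
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
chroot_local_user=YES
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("implicit", IMPLICIT_CONF),
                       ("hardened", HARDENED_CONF)):
        print(name, audit_vsftpd(conf) or ["ok"])
```

Run it against a real vsftpd.conf by reading the file into `audit_vsftpd`, and against a real host with `anonymous_login_allowed("ftp.yourhost.example")`. The config check is the one to wire into change control, since it catches the exposure before the server is ever reachable from the internet.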

Law Suits and Investigations

  • Civil suit filed January 27, 2014 and settled December 2014
    • $4.125 million along with related expenses and attorneys' fees
    • 50,917 patients included in the settlement
  • Ongoing investigation for HIPAA violations
    • Involves the CA Dept. of Justice and likely OCR
    • The DOJ proceeding will determine whether Cottage complied with its obligations under HIPAA and any other pertinent state and federal laws, and may potentially result in the imposition of fines, sanctions or penalties.

Insurer Columbia Casualty filed suit

  • Saying they shouldn't have to pay the $4.125 million settlement nor any expense they have incurred or will incur over this case
    • Columbia also seeks a declaration of its entitlement to reimbursement in full from Cottage for any and all attorney’s fees or related costs or expenses Columbia has paid or will pay in connection with the defense and settlement of the class action lawsuit and any related proceedings and an award of damages consistent with such declaration.
  • INSYNC, the IT company, does not maintain sufficient liquid assets to contribute towards the proposed settlement fund and does not maintain liability insurance that applies with respect to the privacy claims asserted in the Underlying Action.

Why does Columbia think they shouldn’t pay?

  • The Columbia Policy contains the following exclusion: Whether in connection with any First Party Coverage or any Liability Coverage, the Insurer shall not be liable to pay any Loss: Failure to Follow Minimum Required Practices based upon, directly or indirectly arising out of, or in any way involving… Any failure of an Insured to continuously implement the procedures and risk controls identified in the Insured's application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing; This Policy shall be null and void if the Application contains any misrepresentation or omission: a. made with the intent to deceive, or b. which materially affects either the acceptance of the risk or the hazard assumed by the Insurer under the Policy.
  • The Columbia Policy application contained the following questions that were answered by the hospital
    • Do you check for security patches to your systems at least weekly and implement them within 30 days? • Yes
    • Do you replace factory default settings to ensure your information security systems are securely configured? • Yes
    • Do you re-assess your exposure to information security and privacy threats at least yearly, and enhance your risk controls in response to changes? • Yes
    • Do you outsource your information security management to a qualified firm specializing in security or have staff responsible for and trained in information security? • Yes
    • Whenever you entrust sensitive information to 3rd parties do you…
      • contractually require all such 3rd parties to protect this information with safeguards at least as good as your own • Yes
      • perform due diligence on each such 3rd party to ensure that their safeguards for protecting sensitive information meet your standards (e.g. conduct security/privacy audits or review findings of independent security/privacy auditors) • Yes
      • audit all such 3rd parties at least once per year to ensure that they continuously satisfy your standards for safeguarding sensitive information? • Yes
      • require them to either have sufficient liquid assets or maintain enough insurance to cover their liability arising from a breach of privacy or confidentiality. • Yes (Which INSYNC did not)
    • Do you have a way to detect unauthorized access or attempts to access sensitive information? • Yes
    • Do you control and track all changes to your network to ensure it remains secure? • Yes
  • According to the insurance company, the Failure to Follow Minimum Required Practices exclusion clearly applies, which is why they shouldn't have to pay. Cottage's alleged failures:
    • failure to replace factory default settings, i.e. failure to ensure that its information security systems were securely configured
    • failure to regularly check and maintain security patches on its systems
    • failure to regularly re-assess its information security exposure and enhance risk controls
    • failure to have a system in place to detect unauthorized access or attempts to access sensitive information stored on its servers
    • failure to control and track all changes to its network to ensure it remains secure

Final Notes

  • If you don't have coverage, you really should be looking at it, because this isn't going to get easier as these incidents continue to occur.
  • If you do have coverage, revisit that application and check that you are actually following the practices you said you were following. This probably isn't the last time this kind of thing will come up.
  • If you are a BA, check yourself and your coverage, because your clients may start asking you what you have covered before doing business with you.
